10 Gig access switches: Not just packet pushers anymore

Pity the humble access switch. These packet pushers usually work so well they're stuffed into wiring closets and promptly forgotten. Packet in, packet out. End of story.

Or is it? If the results of Network World's latest switch tests are any guide, network managers may need a whole new lexicon just to make buying decisions. Our tests found seven next-generation switches bristle with features that don't exist in many previous models – not just physical features like 10Gigabit Ethernet uplinks but also 802.1X-based network access control authentication, enhanced multicast support, storm control, denial-of-service protection and IPv6 support.

We assessed switches – all of which sported 48 10/100/1000Mbps ports and two 10G ports -- in 10 areas, encompassing L2 and L3 IPv4 unicast and multicast performance, L2 multicast group capacity, 802.1X/NAC support, storm control, management and usability, power consumption, and features.

Overall, we found big differences in support and stability in products tested from Alcatel-Lucent, Cisco, Dell, D-Link, Extreme, Foundry and HP. For example:

• Multicast throughput and latency varied widely, but more basic issues like group capacity and even system stability were bigger differentiators in our tests. It took multiple software builds from some vendors just to get through industry-standard multicast tests, and then only using very different group counts.

• While all switches supported 802.1X authentication, there were major variations in the level of granularity of access control. Not every switch supported some common use cases, and two switches forwarded unauthenticated traffic when operating in so-called multi-auth mode, posing security issues.

• All devices had "storm control" features to help mitigate DoS attacks, but these varied widely in terms of rate control and signature detection.

• IPv6 support remains a work in progress. Some switches fully support IPv6; others can route IPv6 packets but can't be managed over IPv6; yet others lack support for IPv6 routing protocols.

No one switch excelled in all of the many areas we examined, making it difficult to pick winners across the board. Most switches do fine on simple forwarding of Ethernet and IPv4 unicast traffic. If that's all that matters to you, pick a switch on price and usability.

We wouldn't recommend that, though. Increasingly other areas matter more, including security, multicast, and IPv6 – and that's where real variations among products exist. Cisco's Catalyst 3750E is the most feature-complete device we tested, though the HP ProCurve 3500yl, Extreme Summit X450 and Foundry FastIron X448 also fared well in most areas.

Because access switches do more than previous-generation products, the first step in picking a product is determining which features matter most – L2 vs. L3, IPv4 vs. IPv6, unicast vs. multicast, managed vs. unmanaged, on-board security vs. no security – and then choosing the device that did the best job in these areas (compare more access switches in our Buyer's Guide).

There are plenty of differences among switches, especially when it comes to newer features. Just because basic functions long ago entered commodity status doesn't mean the switch wars are settled. Far from it; as our test results show, new additions such as multicast, 802.1X and security are making access switching interesting all over again.

Newman is president of Network Test, an independent test lab in Westlake Village, Calif. He can be reached at dnewman@networktest.com. Fellow Lab Alliance member Rodney Thayer also contributed to the testing completed for this article.

Thanks
Network World gratefully acknowledges the test equipment vendors that supported this project. Spirent Communications supplied its Spirent TestCenter Gigabit and 10 Gigabit generator/analyzer, and senior software engineer Timmons C. Player updated Spirent ScriptMaster for use in multicast testing. Juniper Networks provided Steel-Belted Radius Enterprise Edition 6.1; an IC 6000 network access server; and Odyssey 802.1X client software for our 802.1X NAC tests. Juniper engineers Denzil Wessels and Christian Macdonald provided extensive assistance with test bed setup. Thanks too to Fluke Corp., which provided Fluke 322 and 335 clamp meters for measuring power consumption. 

Newman is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.